Downloads: 1450 | Stars: 3 | Active Installs: 1 | Versions: 2
Install in OpenClaw
/install paytoll
Description
27 tools for DeFi, DEX swaps, cross-chain bridges, Twitter/X, on-chain token data, crypto utilities, and LLM access via x402 micro-payments on Base. No API keys needed — payment is the auth.
Usage Guidance
This skill is plausible for pay-per-call DeFi tools, but exercise caution:
1) The SKILL.md requires a PRIVATE_KEY and node and instructs running an npx package at runtime — npx will fetch and execute remote code, so do not expose your main wallet key.
2) Use a dedicated, funded-with-minimal-amounts wallet (as advised) or a read-only / watch-only signer when possible.
3) Before enabling the skill, review the npm package and the linked GitHub repo to confirm that signing is done locally and nothing is exfiltrated; prefer a pinned package version or running audited code locally rather than npx -y fetching latest.
4) Because the registry metadata contradicted the SKILL.md, ask the publisher to clarify and provide a reproducible install and package integrity info (exact npm package version / checksum).
5) If you must test, do so in an isolated environment or VM with a throwaway wallet.
If you want help auditing the linked GitHub or npm package, provide the package name/version and I can list the files/entry points to check.
Capability Analysis
Type: OpenClaw Skill
Name: paytoll
Version: 1.0.8
The skill bundle is classified as suspicious due to its high-risk execution model and reliance on external, dynamically loaded components. It executes `npx -y paytoll-mcp`, which downloads and runs a third-party package from npm, posing a significant supply chain risk. This package is granted access to the user's `PRIVATE_KEY` environment variable, which, despite claims of local-only usage for micro-payments, introduces a critical trust dependency. Furthermore, the skill states that the 'MCP server discovers tools dynamically from the API,' meaning the agent's capabilities can change without explicit review of the skill bundle, potentially introducing new, unvetted functionalities. The `SKILL.md` file contains these instructions and requirements.
Capability Assessment
Purpose & Capability
The skill's stated purpose (27 DeFi/DEX/bridges/LLM micro-pay tools paid via Base USDC) matches the tool list in SKILL.md and the need for a wallet to pay microfees is plausible. However the registry-level metadata shown earlier (no required env vars or bins) contradicts the SKILL.md header which declares requires.env: ["PRIVATE_KEY"] and requires.bins: ["node"]. That mismatch is concerning and unexplained.
Instruction Scope
SKILL.md instructs the agent to run an MCP client via npx (metadata: mcpServers.paytoll.command = npx -y paytoll-mcp) and to use a PRIVATE_KEY env var for signing EIP‑712 payment authorizations. The instructions claim the private key "never leaves your machine" and that the MCP only receives signed payment authorizations, but there is no verifiable enforcement here — the runtime will fetch and execute remote code which could in principle transmit more data. The instructions are otherwise scoped to the stated features and do not request unrelated system files, but the broad phrase 'paid automatically from the user's configured wallet' implies autonomous signing/payment behavior that increases risk if the agent can call the skill without additional user confirmation.
Install Mechanism
There is no formal install spec, but the SKILL.md metadata specifies runtime execution via npx -y paytoll-mcp. npx dynamically fetches and runs an npm package (un-pinned), which is moderate-to-high risk: code is fetched at runtime from the npm registry with no integrity/pinning or reproducible install specified. The linked GitHub repo gives a place to audit, but dynamic npx execution means the published npm package could differ from the repo or change later.
Credentials
The only declared required environment variable is PRIVATE_KEY, which is proportionate to the stated payment-auth model (micro-payments require signing). However, a private key is highly sensitive. The SKILL.md asks for a "dedicated" wallet with minimal funds (good guidance), but providing a raw PRIVATE_KEY to a runtime that will execute remotely-fetched JavaScript raises a real risk of key exfiltration if the runtime misbehaves. Also note the top-level registry data earlier that claimed no required env vars — that inconsistency is suspicious.
Persistence & Privilege
always: false (good). The skill is allowed to be invoked autonomously (disable-model-invocation: false), which is the platform default. Combined with the PRIVATE_KEY requirement and the runtime npx client, autonomous invocation increases blast radius (the skill could sign payments without explicit per-call confirmation unless the agent enforces it). The skill does not request system-wide config changes.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install paytoll`
- After installation, invoke the skill by name or use `/paytoll`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.8
**Expanded to 27 tools across DeFi, DEX swaps, bridges, social, on-chain data, and more.**
- Added DEX swap and cross-chain bridge tools, powered by Li.Fi aggregator, supporting 12 networks.
- Introduced comprehensive on-chain token data, pool search, and trending token analytics.
- Integrated full Twitter/X toolset: tweet/post, user/tweet search, and profile lookup.
- Improved wallet security language: recommends dedicated wallets and clarifies private key usage.
- Updated pricing for some tools and clarified per-call costs, especially for new features.
- New homepage, repository links, and open source guarantees included in documentation.
v1.0.0
Initial release of the paytoll skill.
- Provides DeFi analytics, crypto utilities, and AI model access via per-call USDC micropayments on Base.
- Supports Aave market queries, yield searches, user positions, and DeFi transaction data generation.
- Includes token price lookup, ENS resolution, and wallet validation tools.
- Offers LLM proxy calls to OpenAI, Anthropic, and Google Gemini models.
- No API keys required; payment is handled from the user’s wallet using the PRIVATE_KEY environment variable.
- All tool costs are transparently listed and require USDC and ETH for payments and gas.
Frequently Asked Questions
What is Paytoll?
27 tools for DeFi, DEX swaps, cross-chain bridges, Twitter/X, on-chain token data, crypto utilities, and LLM access via x402 micro-payments on Base. No API keys needed — payment is the auth. It is an AI Agent Skill for Claude Code / OpenClaw, with 1450 downloads so far.
How do I install Paytoll?
Run "/install paytoll" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Paytoll free?
Yes, Paytoll is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Paytoll support?
Paytoll is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Paytoll?
It is built and maintained by foodaka (@foodaka); the current version is v1.0.8.